Overview

DreamFactory Authentication and Authorization is designed to accommodate all sophisticated Authentication and Authorization requirements for a modern web and mobile applications. DreamFactory provides extensive Authentication and Authorization features. Single sign-on, user per-application roles,
and role-based access are all carefully implemented to provide a secure, robust, and scalable platform for authenticating and controlling user access to all services and resources.

DreamFactory separates administrators from other users. Every DreamFactory instance must have at least one administrator
configured at installation. Administrators can log in, use the admin console, perform API calls, do not have roles, and
are not required to use API keys for access. Non-administrators are generally the users of the applications running on a
DreamFactory instance.

Each application has a unique API key. All non-administrator users are required to use an API key
to access the system. Roles are assigned to a user on per-application basis. This enables the flexibility of having a
single user with different roles across different applications in the system. Each application can also have a default role
assigned. If no role is assigned to a user for an application, then access is controlled by the default application role.

Administrative updates to system resources are instantly reflected across all connections. Most system resources have an
active/inactive state. When an administrator deactivates a user, application, role, or service, any further access to that
resource is denied. For example, if a user or role is deactivated, any associated session tokens become invalid immediately.
If an application is deactivated, any attempted access with that application’s API key is denied. This provides a more
secure environment at multiple levels of the API for events like people entering or leaving the company, service abuse,
or temporary disablement of system resources.

DreamFactory supports the standard username and password-based authentication, but it can also be provisioned to utilize
most common OAuth providers, and even LDAP and Active Directory.

Authentication

JSON Web Token (JWT)

DreamFactory utilizes the JSON Web Token (JWT) technology at its core for authentication and session management. JWT is
a simple JSON based open standard (RFC 7519) for passing claims (session-related data) between client and server in a web
environment. These claims are encrypted, digitally-signed, and tokenized using a standard format to make it url safe and
usable in a web browser single sign-on context. You can find out more details about JWT and it's implementation here.

Standard Username/Password based Authentication

Like any standard web application, DreamFactory supports simple username/password based authentication. When users
successfully sign on to a DreamFactory instance using their username and password or via provisioned OAuth or AD/LDAP
services (more on that below), they receive a JWT (token) that contains (encrypted and digitally signed) the identity of
the user and the connection. This token is controlled by a configurable renewal and expiration policy and needs to be
securely stored on the client. It must be included for all authenticated API usage.

OAuth

DreamFactory supports authentication using OAuth services. Developers can allow end users to log in with credentials
from sites like Facebook, Twitter (yes, OAuth 1.0 is supported!), LinkedIn, Google, and GitHub.

DreamFactory makes it super easy to add OAuth services to your apps without any server-side coding and token handling.
The currently supported OAuth service providers are Facebook, Twitter, LinkedIn, Google, and GitHub, and we’ll be adding more
OAuth providers in the future.

OAuth in a DreamFactory instance works just like other services in DreamFactory. It starts with provisioning an OAuth service
using the Services tab in the DreamFactory admin console. While provisioning the service, simply specify your OAuth
service details, such as key, secret, redirect url etc., as well as a default role or application specific roles. This role will be used for any users
authenticating using your OAuth service.

AD/LDAP

DreamFactory has built-in support for Active Directory authentication over LDAP. Developers can now provide the ability
for their users to sign in using their enterprise/corporate log in credentials. You can easily set up
an enterprise app to allow users to sign in using their corporate username and password, eliminating the need for creating
and remembering yet another username and password.

AD/LDAP in DreamFactory works just like other services. It starts with provisioning an AD/LDAP service using the Services
tab in the DreamFactory admin console. While provisioning the service, simply specify your Active Directory server details
such as hostname, base dn etc. as well as a default role or application specific roles. This role will be used for any users authenticating using your
AD/LDAP service.

SAML 2.0

DreamFactory has built-in support for SAML 2.0 Single Sign On. Developers can now provide the ability
for their users to sign in using their external SAML 2.0 identity providers (IdP). You can easily set up
an app to allow users to sign in using their pre-existing username and password from a SAML 2.0 IdP, eliminating the need for creating
and remembering yet another username and password.

SAML 2.0 service in DreamFactory works just like other services. It starts with provisioning an SAML 2.0 service using the Services
tab in the DreamFactory admin console. While provisioning the service, simply specify your SAML 2.0 configuration details
such as IdP EntityId, IdP SSO service URL, IdP x509cert etc. as well as a default role or application specific roles. This role will be used for any users authenticating using your
SAML 2.0 service.

Authorization

Application API Key

Applications in a DreamFactory instance can represent actual application code hosted on the instance, code hosted
elsewhere on another server, or a designation for a native mobile app. Each application gets an API key generated at
creation. The API key must be used for all access to the API. The API key can
be regenerated by administrative request, however care must be taken that all uses of the old key are updated
(i.e. this is more difficult for a key embedded in a native mobile application).

Applications can be given “guest” access by assigning a default role to an application, detailing what resources should
be accessible without user authentication. This is useful, if your application has an open “website” or kiosk mode.

Role-Based Access Control

DreamFactory offers granular role-based access control to all services and resources in the system. SQL databases
have various tables, NoSQL databases have collections of documents, and File Storage Systems have different folders.
In a DreamFactory instance, administrators can define roles with role-based access controls to govern which of these
components are visible to a given user, along with HTTP verbs such as GET, POST, PUT, PATCH or DELETE that govern access.
Various combinations of these verbs and service resources can be used to grant or deny access.

Role-based access controls allow information to be hidden from certain roles and their assigned users or applications.
For example, individual sales people might not have access to salary information, while this data might be available to
managers. This capability prevents accidental data loss or disclosure of sensitive information.

Record-Level Access Control

Roles can be customized further with server-side filters to implement record-level access control. Each filter takes the
form of a "field operator value" equation that must be true to enable access. The record-level access controls can impose
constraints on external data sources. For example, you can limit data visibility only to records that the user created.
This feature provides fine-grained security control of data sources.

Lookups

DreamFactory also offers lookup keys to inherit more complex permissions from a SQL database. You can configure server-side
lookup keys to connect a user or role to the corresponding user or role on a remote database. This allows DreamFactory to
mimic existing database access control, or change them as needed for mobile deployments.